# Pricing — Whisper for OT · flat, predictable, per-asset

> Security you pay *more* for the moment a plant is attacked is priced backwards.
> Whisper is flat, per-asset, per year — not per connection, per lookup, or per seat.
> Keyless verify is free forever, attribution is never metered. A line item you can forecast.

Usage-metered tooling bills per connection, per lookup, per analyst seat — so the invoice
climbs as you inventory more assets and spikes exactly during the incident, when you can
least afford to ration a hunt. Against a site carrying tens of thousands of assets — and
145,000+ ICS services already sitting exposed on the open internet — a meter is a number
you cannot forecast. **We price the other way.**

`whisper verify --trustless` costs nothing and needs no account — our own API is not in the trust path.

- **$0** — Keyless verify, resolve and back-trace, free forever, no account
- **1×** — One flat per-asset/year figure — not per-connection, per-lookup or per-seat
- **0** — usage meters on attribution; never ration a hunt mid-incident
- **1** — revoke replaces re-imaging a fleet or rolling a truck to every site
- **25%** — of 2024 OT ransomware caused a full site shutdown — the variable cost a flat line hedges (Dragos)
- **€15M** — EU CRA max fine (or 2.5% turnover) — the exposure evidence-in-the-box de-risks

---

## The pricing principle

**A meter that climbs with every asset you inventory — and spikes when you're attacked —
isn't a price. It's a risk.** Two curves. One rises with every asset you add, every
connection, every lookup your analysts run chasing a rotating adversary — and peaks
precisely during the incident. The other is a flat line you set once and forecast for years.

```
annual cost
  ▲
  │                                             ╱ usage-metered
  │                                        ╱╱      (per connection · lookup · seat)
  │                                  ╱╱          ◀── under attack: billed most when it hurts most
  │                          ╱╱╱
  │                ╱╱╱╱
  │        ╱╱╱╱
  ├──────────────────────────────────────────── Whisper · flat per-asset / year
  │        (set once · forecast for years · attribution never metered)
  └──────────────────────────────────────────────▶ asset inventory · lookup volume · incident load
       the gap between the lines is the overage a flat price never charges
```

- **Per-asset, not per-transaction** — priced to the thing you govern (the asset, PLC, RTU, gateway or HMI), so a chatty plant or a noisy incident never moves the invoice.
- **Attribution is never metered** — run `identify`, `walk`, `history` and Cypher as hard as an incident demands; no per-lookup tax means your OT SOC never rations a hunt.
- **Additive, not another bill** — it sits on top of the OT monitoring, SIEM and threat-intel you already own as a feed; no per-seat licence, no data-egress fee, no new console, no appliance in the plant path.

---

## Three tiers · one primitive

Start keyless. Prove it on a plant zone. Roll it across the site — flat the whole way.
POC → pilot → enterprise, exactly the path an OT security program buys on. Every tier speaks
the same *address-is-the-asset* primitive; you only widen how much of the plant it covers,
never re-platform and never touch a PLC.

### POC — keyless, then a handful · **$0 to start**

No procurement. Verify free forever; provision a handful of asset identities hands-on. The
keyless half of the platform — trustless, anchored at the IANA root, our API never in the
path — plus a first taste of the identity plane:

- `whisper verify --trustless` any asset identity
- Resolve and reverse-resolve a /128, read its RDAP
- Back-trace a suspicious /128 to the asset behind it — reverse-DNS + RDAP, no key
- Provision a handful of asset /128s from the OPC UA `ApplicationUri` or serial

### Pilot — one plant zone · fixed scope

A bounded zone, time-boxed, one flat price. Everything in POC, keyed to a defined zone so an
OT lead can prove value before the board — the full control plane on a slice of the plant:

- Provision asset identities from `ApplicationUri` / IDevID / serial for the zone
- Full attribution graph — unmetered during the pilot
- MUD-style egress governance — `op:policy` / `firewall` / `budget` / `revoke`
- Reverse observability — `op:lookups` shows who's enumerating your assets
- SIEM feed: Splunk & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
- EU CRA Annex I + IEC 62443-4-2 CR 1.2 evidence export

### Enterprise — flat per-asset / year · site quote

One rate, quoted to your asset count. It doesn't move. The whole program, all three planes,
across every asset on the site or fleet — the way a CISO buys defence-in-depth:

- Identity, attribution graph and egress governance, site-wide
- Unlimited attribution — no per-lookup meter, ever
- On-prem or your own tenant — GDPR / data-residency by construction
- Availability-safe: no inline OT chokepoint, **fail-open**, anycast on AS219419
- Enterprise support and SLA, supplier interface agreements

Coverage widens POC → pilot → enterprise; the per-asset rate is the same at every width. You
are buying more of the same primitive, never a different product.

**Why a quote, not a sticker.** A site price is one number, but the right number depends on
asset count, on-prem vs tenant, and the standards evidence you need — so we quote it flat and
in writing, and it holds for the term. No usage true-ups, no surprise line at renewal.
Get a site quote → <https://console.whisper.security/sign-up>

---

## What each tier includes

The keyless verification a peer operator, a regulator, an insurer or an integrator needs to
check an asset's identity is free at every tier — on principle. The keyed tiers widen
coverage and feed your stack; they never gate the ability to *verify*.

| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
| Trustless verify / resolve / RDAP (`whisper verify --trustless`) | ✓ | ✓ | ✓ |
| Trace a /128 to the asset behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Public transparency log — every mint & revoke (tamper-evident today) | ✓ | ✓ | ✓ |
| Asset /128 provisioning (`register`, DANE-EE pin, `revoke`) | a handful | a plant zone | site-wide |
| Full attribution graph (`identify`, `origins`, `walk`, `history`, Cypher) | — | plant zone | unlimited |
| MUD-style egress governance (`op:policy` / `firewall` / `budget` / `revoke`) | — | plant zone | site-wide |
| Reverse observability — who's enumerating your assets (`op:lookups`) | — | plant zone | site-wide |
| SIEM feed: Splunk & Microsoft Sentinel connectors today · CEF/ECS | — | ✓ | ✓ |
| EU CRA Annex I + IEC 62443-4-2 CR 1.2 evidence (STIX/TAXII on roadmap) | — | ✓ | ✓ |
| On-prem / own tenant (data residency, GDPR) | — | — | ✓ |
| Availability-safe — no inline OT chokepoint · fail-open · anycast | ✓ | ✓ | ✓ |
| Enterprise support & SLA · supplier interface agreements | — | pilot support | ✓ |
| Metered by usage (per connection / lookup / seat) | never | never | never |

**One line per asset — the legacy floor included.** An asset that speaks OPC UA passes its
`ApplicationUri` as the `device_id`; an 802.1AR IDevID device passes its serial. A dumb
Modbus PLC behind a gateway gets a verifiable /128, PTR and RDAP for the first time — and
it's still *one* per-asset line, with no premium for being old. (A first-class typed
`--application-uri` argument is on the roadmap; today you pass it as `device_id`.)

---

## Where the flat number pays for itself

The ROI isn't a promise — it's the costs the flat line takes off your books: per-site
firewall toil, incident blast radius, audit effort, truck-rolls, analyst hours, and
re-platform risk.

- **Micro-segmentation without per-site firewall rules.** A per-asset /128 plus a default-deny egress allow-list is a conduit at *asset* granularity — additive to your 62443 zones, keyed to a verifiable identity, not a hand-maintained VLAN-and-ACL matrix per site. One declared policy travels with the asset; no bespoke firewall rules to re-derive at every brownfield plant.
- **One revoke, not re-imaging a fleet.** Contain a compromised asset in one call — `op:revoke` tears down its /128, PTR and DANE pin worldwide at DNS-TTL, cross-org, no CRL you hope each device fetched and no truck rolled to every site. The eventual on-box remediation is yours; the immediate containment is one line.
- **CRA / 62443 evidence in the box.** Findings arrive mapped to **EU CRA Annex I** 2(d) identity, 2(j) attack-surface and 2(l) logging, and to **IEC 62443-4-2 CR 1.2** + 3-3 zones-and-conduits — a byproduct of the tool, not a separate consulting line before a 2027 CE deadline.
- **Blast-radius reduction without OT downtime.** It rides existing DNS/IPv6 and adds **no inline OT chokepoint** — the verify/DANE path is built to fail open, so a Whisper outage never bricks a PLC. You shrink the blast radius of a convergence-bridge compromise without a change window or a plant stop.
- **Analyst hours you stop burning.** Correlating a rotating, meaningless *last IP* across Amazon, Google and Azure is manual and never converges. The graph collapses the rotation to one operator with a replayable evidence chain — and because attribution is unmetered, the meter never punishes an analyst for looking harder mid-incident.
- **A vendor that will still be here.** No per-connection true-up, no per-seat creep as your SOC grows, no data-egress fee. It's real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Longevity is the cheapest line in any TCO.

---

## A pricing model can be an attack surface. Ours isn't.

If security is metered, an adversary can run up your bill, and a defender rations their own
hunt. We priced those failure modes out.

> **"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"**
> Never. The graph is unmetered on the keyed tiers — `identify`, `walk`, `history` and Cypher
> run as hard as the hunt demands. There is no per-query line for an attacker to inflate and
> none for a defender to fear.

> **"Does my bill spike when I'm under attack, or just when I inventory more assets?"**
> Neither. The price is per-asset, set once, for the term. A traffic flood, an enumeration
> campaign against your plant, or commissioning a new line moves your risk — it doesn't move
> the invoice.

> **"Is the keyless tier a real capability, or a trap that expires into a sales call?"**
> Real, and permanent. Keyless `verify` is anchored at the IANA root — *our own API is not
> in the trust path*, so we couldn't gate it if we wanted to. Verifying an asset's identity
> is a public check; charging for the truth would defeat the point.

---

## The questions procurement always asks

- **What exactly is metered?** Nothing by usage. A flat rate per asset, per year — no per-connection charge, no per-lookup graph fee, no per-seat licence, no data-egress bill. The only variable is how many assets the program covers.
- **Can I try it without procurement?** Yes — the POC is free and keyless. Run `whisper verify --trustless` today, then provision a handful of asset /128s hands-on. A Pilot is a fixed, time-boxed engagement on one plant zone.
- **What happens as I inventory more assets?** The per-asset rate holds; the total scales linearly and predictably with asset count, quoted in writing for the term. No usage true-up, no renewal surprise.
- **Is this on top of my SIEM and OT-monitoring cost?** It's a feed *into* the SIEM and threat-intel you already run — the Splunk and Microsoft Sentinel connectors ship today — and additive to your OT monitoring. Not a replacement, not a second console to staff.
- **Can a Whisper outage take my plant down?** No. It adds **no inline OT chokepoint**; the verify/DANE path is built to fail open and rides anycast on AS219419. If we're slow or dark, checks degrade to your existing anchors — a Whisper outage never bricks a controller. Availability-safe is priced in, not a premium.
- **On-prem or hosted?** Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-asset logs stay where your regulator needs them — at no metered premium.
- **What if I stop?** Identities are DNSSEC/DANE objects you can verify independently, and evidence exports are open formats (CEF, ECS; STIX and CRA/62443 JSON on the roadmap). No proprietary lock on your own asset attestations or compliance record.

---

## How it sits next to what you already buy

**Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the
whole one.** You already pay for OT monitoring, a SIEM, and a threat-intel subscription, and
you should keep them — Whisper is additive to all three. Where a per-connection cloud makes
the bill unforecastable and a rigid multi-module suite makes you buy packages you don't need,
a flat per-asset line adds the two layers no one else owns — publicly verifiable, key-derived
asset identity and cross-org attribution across rotating egress — without a meter and without
an appliance in the plant path.

| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-connection / usage-metered cloud | hard | yes |
| Rigid multi-module OT suite (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per-asset / year | yes | no |

**Honest boundary.** Whisper governs *who* may reach and speak to an asset and attributes
them — it does **not** add authentication to Modbus, DNP3 or PROFINET on the wire, and the
last-inch command check stays with your PLC or a protocol-aware gateway. It makes the
OT-monitoring, SIEM and threat-intel investments you already carry sharper, as a
machine-readable feed — not a thing they compete with. [See the full comparison →](/compare)

---

## One flat number. Every asset, covered.

Keyless verify is free forever — start there, no account. When you're ready, a site quote is
one flat per-asset/year figure you can forecast and defend. No meter, no surprise at renewal,
no appliance in the plant path.

Get a site quote → <https://console.whisper.security/sign-up> · [For OT security →](/for-ot-security)

Or run `whisper verify --trustless` right now — it costs nothing.

---

*Whisper for OT · Identity on the wire for industrial assets · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
